Snort mailing list archives

RE: Span Port to Fiber Tap Problems


From: "larosa, vjay" <larosa_vjay () emc com>
Date: Mon, 20 Oct 2003 11:44:20 -0400

Your fiber tap has a send and receive in one cable now. You need to split
the cable, plug half of each side into a small switch (Cisco 3500 XL 8 port
gig with auto negotiation turned off), then span the two ports back into one
port where you plug in your snort sensor. The Gigabit line you have snort
plugged in now is only presenting half of the conversation to snort, so
stream4 is not allowing the packets to be processed because it is only
seeing half of the conversation. Let me know if you need more help; I have
this setup in several places.

vjl
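A quick way to confirm the "half the conversation" diagnosis before re-cabling is to check whether the sensor's flows are seen in both directions. The following is an added example, not code from either poster or from Snort: it groups constructed sample packets (the 5-tuples and flags below are made up) into direction-independent flows and reports how many of them were captured one-way, which is what a single fiber of a tap delivers.

```python
from collections import defaultdict

# Constructed sample packets: (src, sport, dst, dport, tcp_flags).
# The first two flows are seen in both directions (what a SPAN port or a
# correctly recombined tap delivers); the last two are seen in one
# direction only (one fiber of the tap, the symptom in this thread).
PACKETS = [
    ("10.1.1.5", 40001, "10.2.2.80", 80, "S"),
    ("10.2.2.80", 80, "10.1.1.5", 40001, "SA"),
    ("10.1.1.5", 40001, "10.2.2.80", 80, "A"),
    ("10.1.1.5", 40001, "10.2.2.80", 80, "PA"),
    ("10.3.3.9", 51000, "10.2.2.25", 25, "S"),
    ("10.2.2.25", 25, "10.3.3.9", 51000, "SA"),
    ("10.3.3.9", 51000, "10.2.2.25", 25, "A"),
    ("10.4.4.2", 33000, "10.2.2.80", 80, "S"),
    ("10.4.4.2", 33000, "10.2.2.80", 80, "A"),
    ("10.4.4.2", 33000, "10.2.2.80", 80, "PA"),
    ("10.5.5.7", 44000, "10.2.2.8", 443, "S"),
    ("10.5.5.7", 44000, "10.2.2.8", 443, "PA"),
]

def flow_key(src, sport, dst, dport):
    """Direction-independent key so both halves of a conversation
    land in the same bucket."""
    a, b = (src, sport), (dst, dport)
    return (a, b) if a <= b else (b, a)

def direction_stats(packets):
    """Per flow, record which endpoints were seen sending; also count
    SYN vs SYN/ACK, which should be roughly balanced on a full feed."""
    senders = defaultdict(set)
    syn = synack = 0
    for src, sport, dst, dport, flags in packets:
        senders[flow_key(src, sport, dst, dport)].add((src, sport))
        if flags == "S":
            syn += 1
        elif flags == "SA":
            synack += 1
    one_way = sum(1 for s in senders.values() if len(s) == 1)
    return {"flows": len(senders), "one_way_flows": one_way,
            "syn": syn, "synack": synack}

def looks_one_sided(stats, max_one_way_ratio=0.25):
    """True when a large share of flows was captured in one direction,
    i.e. the sensor is only getting half of each conversation."""
    if stats["flows"] == 0:
        return False
    return stats["one_way_flows"] / stats["flows"] > max_one_way_ratio

if __name__ == "__main__":
    s = direction_stats(PACKETS)
    print(s, "one-sided capture:", looks_one_sided(s))
```

On a real sensor the same check would be fed from a pcap; a high one-way ratio on a busy link means stream4 cannot build state and most TCP rules will stay silent, exactly as described above.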

-----Original Message-----
From: Dusty Hall [mailto:halljer () auburn edu] 
Sent: Monday, October 20, 2003 10:28 AM
To: snort-users () lists sourceforge net
Subject: [Snort-users] Span Port to Fiber Tap Problems


  We recently purchased a Fiber tap so we could move away from a Span port.
After putting the tap into place and setting up a new system to monitor
traffic off this tap I can't quite seem to get Snort working correctly.

Using:
 Snort 2.0.1
 Intel Corp. 82544EI Gigabit Ethernet Controller
 Red Hat 9.0 (Dual Xeon CPU 2.80GHz with 2GB of Memory)
 Startup Config Below
 
  We see tons of traffic using tcpdump, but Snort doesn't alert on much more
than the CHAT Rules & Portscans.  Is it dropping too many packets? It
reports dropping 18% (below).  Are there any configuration settings that I
might need to change?

Thanks,

-Dusty



*--------------------------------

[root@localhost snort_logs]# /usr/local/bin/snort -c
/usr/local/snort/etc/snort.conf -o -i eth0
Running in IDS mode
Log directory = /var/log/snort

Initializing Network Interface eth0
OpenPcap() device eth0 network lookup: 
        eth0: no IPv4 address assigned

        --== Initializing Snort ==--
Rule application order changed to Pass->Alert->Log
Initializing Output Plugins!
Decoding Ethernet on interface eth0
Initializing Preprocessors!
Initializing Plug-ins!
Parsing Rules file /usr/local/snort/etc/snort.conf

+++++++++++++++++++++++++++++++++++++++++++++++++++
Initializing rule chains...
No arguments to frag2 directive, setting defaults to:
    Fragment timeout: 60 seconds
    Fragment memory cap: 4194304 bytes
    Fragment min_ttl:   0
    Fragment ttl_limit: 5
    Fragment Problems: 0
    Self preservation threshold: 500
    Self preservation period: 90
    Suspend threshold: 1000
    Suspend period: 30

Stream4 config:
    Stateful inspection: ACTIVE
    Session statistics: INACTIVE
    Session timeout: 30 seconds
    Session memory cap: 8388608 bytes
    State alerts: INACTIVE
    Evasion alerts: INACTIVE
    Scan alerts: ACTIVE
    Log Flushed Streams: INACTIVE
    MinTTL: 1
    TTL Limit: 5
    Async Link: 1
    State Protection: 0
    Self preservation threshold: 50
    Self preservation period: 90
    Suspend threshold: 200
    Suspend period: 30
Stream4_reassemble config:
    Server reassembly: INACTIVE
    Client reassembly: ACTIVE
    Reassembler alerts: ACTIVE
    Ports: 21 23 25 53 80 110 111 143 513 1433 
    Emergency Ports: 21 23 25 53 80 110 111 143 513 1433 
http_decode arguments:
    Unicode decoding
    IIS alternate Unicode decoding
    IIS double encoding vuln
    Flip backslash to slash
    Include additional whitespace separators
    Ports to decode http on: 80 
rpc_decode arguments:
    Ports to decode RPC on: 111 32771 
    alert_fragments: INACTIVE
    alert_large_fragments: ACTIVE
    alert_incomplete: ACTIVE
    alert_multiple_requests: ACTIVE
telnet_decode arguments:
    Ports to decode telnet on: 21 23 25 119 
Using LOCAL time
Conversation Config:
   KeepStats: 0
   Conv Count: 32000
   Timeout   : 60
   Alert Odd?: 0
   Allowed IP Protocols:  All

1669 Snort rules read...
1669 Option Chains linked into 241 Chain Headers
0 Dynamic rules
+++++++++++++++++++++++++++++++++++++++++++++++++++

Rule application order: ->pass->activation->dynamic->alert->log->p2p

        --== Initialization Complete ==--

-*> Snort! <*-
Version 2.0.1 (Build 88)
By Martin Roesch (roesch () sourcefire com, www.snort.org)


============================================================================
===
Snort analyzed 619449 out of 763120 packets, dropping 143671(18.827%)
packets

Breakdown by protocol:                Action Stats:
    TCP: 362228     (47.467%)         ALERTS: 132       
    UDP: 24004      (3.146%)          LOGGED: 126       
   ICMP: 85282      (11.175%)         PASSED: 54744     
    ARP: 0          (0.000%)
  EAPOL: 0          (0.000%)
   IPv6: 0          (0.000%)
    IPX: 0          (0.000%)
  OTHER: 4112       (0.539%)
DISCARD: 0          (0.000%)
============================================================================
===
Wireless Stats:
Breakdown by type:
    Management Packets: 0          (0.000%)
    Control Packets:    0          (0.000%)
    Data Packets:       0          (0.000%)
============================================================================
===
Fragmentation Stats:
Fragmented IP Packets: 280        (0.037%)
    Fragment Trackers: 142       
   Rebuilt IP Packets: 138       
   Frag elements used: 276       
Discarded(incomplete): 0         
   Discarded(timeout): 134       
  Frag2 memory faults: 0         
============================================================================
===
TCP Stream Reassembly Stats:
        TCP Packets Used: 362228     (47.467%)
         Stream Trackers: 65924     
          Stream flushes: 3223      
           Segments used: 6647      
   Stream4 Memory Faults: 8531      
============================================================================
===
Snort exiting



-------------------------------------------------------
This SF.net email sponsored by: Enterprise Linux Forum Conference & Expo
The Event For Linux Datacenter Solutions & Strategies in The Enterprise 
Linux in the Boardroom; in the Front Office; & in the Server Room 
http://www.enterpriselinuxforum.com
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

